Combating a New Breed of Financial Hackers

Our personal and financial information are at risk like never before. Fortunately, there are companies developing technology to combat these increasingly sophisticated attacks.

This article is published with permission from InvestmentU.com.

My wife and I got a letter from Neiman Marcus in the mail a couple of weeks ago. It began with these sobering words, “We deeply regret and are very sorry that some of our customers’ payment cards were used fraudulently after making purchases at our stores.”

It was all stupidity and silliness from there.

The store admitted to “a criminal cyber-security intrusion” first discovered Jan. 1. It didn’t admit to much else. It forgot, for example, to mention that the breach lasted from July 16 to Oct. 30 of last year.

Instead, the apology immediately segued into damage control mode. It said “We want you to always feel confident shopping at Neiman Marcus.” And this: “We aim to protect your personal and financial information.” And reassured us, “Your PIN was never at risk.

Perhaps thinking ahead of a future and more devastating breach, the letter added, “The policies of [the credit cards] provide that you have zero liability.

Phew, that’s a relief!

No harm, no foul: REALLY?

Well, not really. The letter’s message of “no harm, no foul; all’s well that ends well” bordered on the ridiculous.

What was Neiman Marcus really thinking? It took Congress to find out. In sworn testimony, Michael R. Kingston, chief information officer at Neiman Marcus, said the malware used was “exceedingly sophisticated.” He added that it had a “zero percent detection rate” by antivirus software.

Let me repeat that: “Zero percent detection rate.” Neiman’s antivirus software was, quite literally, 100% useless.

We got a similar letter from Target. It included a new store card. The Target episode exposed the personal data of as many as 110 million customers. That’s more than a third of the population of the United States!

A New York Times article exposed in chilling detail how these cybercriminals pulled off the heist. The coding that snatched customers’ data changed according to the instructions received from its handlers, in real time.

Goliath wins again

The testimony Congress heard last week revealed just how dangerous the situation has become. Today’s hackers have developed Goliath-like abilities to access supposedly protected personal information. And the retailers have morphed into helpless Davids against these invasive tactics.

The experts are betting on Goliath. Listen to these snippets of Congressional testimony…

James A. Reuter, on behalf of the American Bankers Association, said “the criminals are often one step ahead as the marketplace searches for consensus.”

Mallory Duncan of the National Retail Federation declared, “Data breaches are a fact of life in the United States.”

And Kingston—the CIO of the store that sent me a letter saying “We want you to always feel confident shopping at Neiman Marcus” —argued that “once standards were made public, criminals would figure out how to get around them.

The scary thing is they’re probably understating the problem.

This past January alone, according to another New York Times article, “instances in which data became vulnerable include the University of California, Davis health system, Snapchat, Coca-Cola, the message boards of the Straight Dope website, Skype, the ’wichcraft sandwich chain and the federal Veterans Affairs Department…”

Okay, maybe it was just one of those months. But investigators don’t think so. They believe that Target was part of a bigger campaign aimed at another half dozen major retailers.

Javelin Strategy & Research says, “We’re expecting this to be a major contributor, if not the primary driver of card fraud for the next 12 months.”

By the way, kudos to the Times for staying on top of this growing epidemic. Perhaps they’re so attuned to the issue because they themselves were hacked by China in 2013.

Is there anything that can be done?

As a matter of fact, there is.

Adopting Europe’s widely used EMV technology, which is a small chip embedded in each card, makes it almost impossible to counterfeit credit cards.

But it’s not nearly enough. For one, the card data itself can still be taken and used for online purchases.

And the technology misses a huge hole in retailers’ security efforts to date. It’s not just the credit cards in your wallet that are exposing you to cybercriminals.

It’s also the smartphone in your pocket.

Where did the majority of attacks on mobile devices come from? Fraudulent banking apps. Once they slip into app stores, it’s almost impossible to tell the fraudulent ones apart from the real apps.

In a LinuxInsider report, Jack Walsh, mobility program manager at ICSA Labs, says, “The goal is to get these copycat apps into consumers’ hands. When the user inputs account information, instead of being transmitted to the real bank, they go to fraudulent servers.”

Another gaping vulnerability, according to Kevin Surace, CEO of Appvance, is in the Cloud.

“Every company is rapidly deploying new apps for their customers. They are increasingly hosted in the cloud and made specifically for mobile devices. The problem is, coders have limited knowledge of scalability and security. And most organizations rely on inadequate code analysis tools to reveal security issues lurking in the code and integrations.”

Who is stepping up?

Tripwire and TraceSecurity are two of a handful of cybersecurity companies that provide advanced software and malware analysis tools.

Surace’s Appvance uses the cloud to “simulate” millions of users piling into an app simultaneously. Where “white hat” security scans end is where Appvance begins. Nobody, a major investor in the company told me, has done this before.

The cybercriminals may hold the advantage now. But the demand for solutions is urgent and growing. The market has taken notice. It will fill this gaping need, as software security companies are increasingly drawn into this fast-expanding space.

And, I believe, startups and young tech companies will be leading the charge.

Andrew Gordon is a member of the Investment U Research team and writes for The Oxford Club’s Early Investing newsletter. Read more articles by Andrew here.

The information contained in this article should not be construed as investment advice or as a solicitation to buy or sell any stock. Nothing published by Physician’s Money Digest should be considered personalized investment advice. Physician’s Money Digest, its writers and editors, and Intellisphere LLC and its employees are not responsible for errors and/or omissions.